The Flame malware that was likely spawned by a nation-state to spy on Iran employed a highly sophisticated cryptography attack that allowed it to pierce defenses Microsoft added to later versions of its Windows operating system, new research shows.

The "chosen prefix collision attack," which exploited known weaknesses in the aging MD5 cryptographic hashing algorithm, was used to remove text strings from counterfeit certificates the attackers used to hijack the Windows Update process. If the critical extension had been allowed to remain in the certificates, they would have caused machines running Vista and later versions of Windows to reject the updates, Microsoft researchers said in a report published Wednesday.

The counterfeit certificates, which were minted by exploiting a weakness in Microsoft's Terminal Server product, worked only against versions that predated Vista. But by using the collision attack to produce a certificate that dropped the "Microsoft Hydra" extension yet still carried the same cryptographic hash, they were able to trip up machines running Vista, Server 2008, and Windows 7 as well. In a separate report also published Wednesday, a Kaspersky researcher said the technique gave Flame powerful control over machines running Microsoft's most fortified operating systems.

"What we've found now is better than any zero-day exploit," Alex Gostev, chief security expert at Kaspersky Lab, wrote. "It actually looks more like a 'god mode' cheat code—valid code signed by a keychain originating from Microsoft."

Slaying Hydra

Separate capabilities in Flame were designed to allow the espionage malware to spread from machine to machine inside a victim's network. It worked by setting up a fake server that masqueraded as a legitimate source for Windows updates. For the proxies to work, they needed to carry the imprimatur of Microsoft's root authority key, and that's where the fraudulent certificates came in. By exploiting weaknesses in the way Terminal Server issued end-user licenses, the Flame attackers were able to create certificates, authorized by Microsoft's sensitive root, that vouched for their malicious code as legitimate.

But the Flame attackers had one more hurdle to jump through: credentials ultimately derived from the Terminal Server exploit still contained the Hydra extension, and that flag in turn would cause Vista and later Windows versions to reject the certificate. To remove the extension, they relied on the highly esoteric collision attack, in which two different plaintexts produce the same cryptographic hash. They used that attack to generate a similar-looking certificate that dropped the Hydra data and other fields constraining its permitted use. A 2008 exploit that used the same technique allowed researchers to create a rogue certificate authority that was trusted by all browsers.

"Without this collision attack, it would have been possible to sign code that would validate on systems pre-dating Windows Vista, but that signed code would fail validation on Windows Vista and above," Jonathan Ness, of Microsoft Security Response Center Engineering, wrote in Wednesday's blog post. "After this attack, the attacker had a certificate that could be used to sign code that chained up to the Microsoft Root Authority and worked on all versions of Windows."

As previously reported, Microsoft on Sunday issued an emergency update to all Windows users that invalidated the entire certificate chain used by the Terminal Server licensing mechanism. In the Wednesday post, Ness said Microsoft has replaced the mechanism's chain with a new hierarchy that's no longer linked to the company's Root Authority. Instead, it has a stand-alone root that's not trusted by the rest of Windows. The new certificates use SHA-1, an algorithm that cryptographers consider much stronger than MD5. Microsoft has also curtailed the practice of issuing code-signing certificates under the licensing regime.
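A defender-side illustration of the two points above: a signature binds only the hash of the certificate body, so a collision lets a differently encoded body keep the original signature, and the remedy is to refuse signature algorithms built on a hash whose collision resistance has failed. This is an added example, not code from the article, from Microsoft or from Flame. It assumes a toy certificate layout (UTF8String fields in the tbsCertificate, a bare digest in place of the RSA signature value) and uses only the Python standard library; the only real identifiers are the PKCS #1 signature-algorithm OIDs.

```python
"""Minimal certificate signature-algorithm policy check (added example).

A certificate signature covers only a hash of the tbsCertificate, so any two
TBS encodings with the same digest carry the same valid signature.  That is
what made an MD5 collision useful for dropping the Hydra extension.  A verifier
that refuses MD5-based algorithms closes that door.  Certificates here are
constructed: a toy TBS body and a bare digest standing in for the RSA value.
"""
import hashlib

# Signature-algorithm OIDs from PKCS #1 and the hash each one uses.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
}
BROKEN_HASHES = {"md5"}  # practical collision attacks exist


def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(content):
    """Inverse of encode_oid, applied to the content octets only."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):
    """Return (tag, content, position after this TLV) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _tbs(fields):
    # Toy tbsCertificate: SEQUENCE of UTF8String fields (constructed, not real X.509).
    return der_tlv(0x30, b"".join(der_tlv(0x0C, f.encode()) for f in fields))


def build_cert(sig_alg_oid, tbs_fields):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tbs = _tbs(tbs_fields)
    alg = der_tlv(0x30, encode_oid(sig_alg_oid) + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    digest = hashlib.new(SIG_ALG_OIDS[sig_alg_oid][1], tbs).digest()
    sig = der_tlv(0x03, b"\x00" + digest)  # BIT STRING; digest stands in for the RSA signature
    return der_tlv(0x30, tbs + alg + sig)


def with_replaced_tbs(cert_der, tbs_fields):
    """Swap in a different TBS (e.g. one field removed) but keep the original
    signature block.  Verification fails unless old and new TBS collide under
    the signature's hash, which is exactly what the MD5 attack produced."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, _, after_tbs = read_tlv(cert, 0)
    return der_tlv(0x30, _tbs(tbs_fields) + cert[after_tbs:])


def check_cert(cert_der):
    """Return (accepted, reason): refuse collision-broken hashes first, then
    check the digest that the signature actually covers."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, _, after_tbs = read_tlv(cert, 0)
    tbs_bytes = cert[:after_tbs]  # the signature covers the whole TBS TLV
    _, alg_content, after_alg = read_tlv(cert, after_tbs)
    _, sig_content, _ = read_tlv(cert, after_alg)
    _, oid_content, _ = read_tlv(alg_content, 0)
    oid = decode_oid(oid_content)
    if oid not in SIG_ALG_OIDS:
        return False, f"unknown signature algorithm {oid}"
    name, hash_name = SIG_ALG_OIDS[oid]
    if hash_name in BROKEN_HASHES:
        return False, f"{name}: {hash_name} is not collision resistant"
    if sig_content[1:] != hashlib.new(hash_name, tbs_bytes).digest():
        return False, f"{name}: digest mismatch"
    return True, name


if __name__ == "__main__":
    fields = ["CN=licensing-toy", "ext:Microsoft Hydra"]  # constructed sample
    print(check_cert(build_cert("1.2.840.113549.1.1.11", fields)))
    print(check_cert(build_cert("1.2.840.113549.1.1.4", fields)))
    print(check_cert(with_replaced_tbs(build_cert("1.2.840.113549.1.1.11", fields), fields[:1])))
```

The MD5 certificate is refused before its signature is even examined, which is the only place a verifier can stop a collision: once two TBS encodings share a digest, the digest comparison at the end is satisfied by both. The `with_replaced_tbs` call shows the non-colliding case, where dropping a field is caught as a digest mismatch.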

Ness's post never explained one of the biggest mysteries arising from the Flame aftermath, which is why Microsoft engineers designed the old system with such poor key management. The Microsoft Root Authority is the cryptographic equivalent of a master key that can unlock virtually any door in the company's sprawling body of software. Tying that authority to Terminal Server's licensing mechanism is tantamount to using a hotel's universal key to control access to the janitor closet.

Just to be clear, this isn't some sort of drive-by attack right? The virus would still need to be installed in order for it to connect to the false server and download the falsified updates right? (or someone else on the network)

But damn this is going to be a big problem for MS to clean up. If it was just pre-vista I could see them blowing it off, but with 7 being vulnerable, that's a big problem.

EDIT: The linked article doesn't really say anything about using its base to break newer SHA-1 keys. As far as I can tell it just mentions using the older MD5 keys. Especially since it looks like the update fixes it by revoking all of their MD5 keys.

The NSA used to provide comprehensive guides for locking down various OS. Windows can be made as secure as anything else, provided you take prudent measures to reduce attack surface, use proper firewalling and whitelisting, and keep tight control over what's installed and who has access.

Why exactly are these so called sensitive secure facilities using windows anyway? You would think they would be running some kind of hardened nix variants.

Properly configured, recent versions of Windows are the same security quality as the unixes. If the victims had been using Linux, we'd be reading about a critical game-over armageddon bug in Linux right now.

There are OSs more secure than either, but they don't exactly run desktop software.

> If the victims had been using Linux, we'd be reading about a critical game-over armageddon bug in Linux right now.

This. Or, heaven forfend, OSX. The point is that this malware/trojan/what-have-you is the product of a group of extremely skilled, well funded people who had fairly specific targets in mind. I have no doubt that the group(s) that produced Stuxnet, Duqu, and now Flame, could have done this to virtually any OS platform they chose to target.

Now, the attack and compromise of the Automatic Update service is novel and terrifying. But again, I bet they could have just as easily rooted a Linux box to take control of whatever software install/update method it uses, or found a way to present illegitimate updates to OSX.

Having Automatic Updates exploited in this way is very scary; I am just glad it was with MD5 rather than a newer key system. I think at this point there is no doubt that a well funded government agency did this, and that they could do it to any OS; Microsoft is just the most commonly used.

> "...one of the biggest mysteries arising from the Flame aftermath, which is why Microsoft engineers designed the old system with such poor key management."

That's not much of a mystery. These are the same engineers who thought Windows ME was good enough to ship. The same developers who gave the world IE5 and IE6. The same developers who designed a printer-setup dialog that requires you to choose "non-networked printer" to install a network printer.

It isn't actually that big of a mystery. In hindsight, we realize it was a bad idea. At the time, it seemed reasonable to put all of the keys on a single keyring.

To have the janitor be able to open the hotel safe is obviously a bad idea. So obviously nobody would allow such a thing. (I hope.)

Going the other way isn't quite so obvious. The master key for a hotel very well might open the hotel's janitor closet. While that might turn out to cause a security problem, it isn't quite so obvious at first.

Carrying the metaphor a bit too far, the problem with Microsoft's system was the fact that the janitor's key and the master key are compatible with the same keying system and that any hotel staff could get a copy of the janitor's key without any trouble. So the bad guys got a copy of the janitor's key, made some modifications until they got one that worked in the rooms they wanted.

> > "...one of the biggest mysteries arising from the Flame aftermath, which is why Microsoft engineers designed the old system with such poor key management."

> That's not much of a mystery. These are the same engineers who thought Windows ME was good enough to ship. The same developers who gave the world IE5 and IE6. The same developers who designed a printer-setup dialog that requires you to choose "non-networked printer" to install a network printer.

Microsoft made a dumb engineering decision? Yup, par for the course.

Could be a legacy issue as well. Remember that LANMAN is disabled but present from Vista onwards. Windows Update shipped with Win98; SHA hashing was first documented in 93-95.

> Just to be clear, this isn't some sort of drive-by attack right? The virus would still need to be installed in order for it to connect to the false server and download the falsified updates right? (or someone else on the network).

This is my question too. If you are getting updates from Windows update, or a WSUS server, your clients shouldn't be looking at other workstations for updates.

Unless there is some other part to this, like poisoning a DNS server, I don't get how this security hole will help it spread on its own. Certainly if someone is running an executable or something that makes sense, but that's not how it sounds with these doom/gloom stories.

The more I read about this the scarier it gets. If it wasn't already obvious before, this Flame is a magnitude more advanced than Stuxnet ever was.

I think I've patched every machine in the house the second that update was released. I'm not gonna lie though. I've been tempted to stay booted in Mint for a couple days just out of undue paranoia.

linux security is, to put it lightly, no cakewalk... but i feel like i actually have a handle on what's going on inside the computer! though windows is glossy and automated, i have no idea what lurks beneath the surface. it's sort of the OS equivalent of you are what you eat. god knows what's in a microsoft cheeseburger, even if linux tofu requires some TLC and preparation time before it's as tasty.

there's probably also some correlation to be drawn between linux zealots and vegans.

myself, i stay informed and cut crap out of my diet all the time... but i'm not completely a vegan yet. big kahuna burger ftw.

> linux security is, to put it lightly, no cakewalk... but i feel like i actually have a handle on what's going on inside the computer! though windows is glossy and automated, i have no idea what lurks beneath the surface.

If you actually care, each default service in Windows is documented and you can exercise a very fine degree of control over said services (unless you try to fuss with something like the RPC service, on which a lot of other things rely), the firewall is reasonably competent (at least in 7) and has a very detailed interface in advanced mode (which even shows you what services use the network and what their permissions are), and beyond that, it's on you, the end user, to not install random crap that you then fail to control.

Just because you can get the source code for random Linux stuff does not make it any less of a potential black box unless you are actually a programmer.

> > Just to be clear, this isn't some sort of drive-by attack right? The virus would still need to be installed in order for it to connect to the false server and download the falsified updates right? (or someone else on the network).

> This is my question too. If you are getting updates from Windows update, or a WSUS server, your clients shouldn't be looking at other workstations for updates.

> Unless there is some other part to this, like poisoning a DNS server, I don't get how this security hole will help it spread on its own. Certainly if someone is running an executable or something that makes sense, but that's not how it sounds with these doom/gloom stories.

> Am I missing something?

Best I can tell, Flame announces itself on the network as a general proxy. Unless Windows is set to ignore these announcements, it will from that point forward direct its traffic via said proxy.


> It isn't actually that big of a mystery. In hindsight, we realize it was a bad idea. At the time, it seemed reasonable to put all of the keys on a single keyring.

your choice of the pronoun "we" has piqued my interest.

I believe that you are also a person that realizes that this was a bad idea. That means both you and I realize this was a bad idea. You + I = We. That word choice was intentional, and I didn't mean to imply anything. The "we" definitely did not mean to include "Microsoft" or "the Microsoft Security Team".

That said, I do work at Microsoft. I don't mean to hide it, but I don't like to flaunt it either. I don't speak on behalf of Microsoft, so any "we" is "me and the other Ars readers", not "me and my employer". I *try* to keep an open mind on things. If anybody is a critic of Microsoft, I am. (Of course, I'm not unbiased. I'll often remain silent instead of adding fuel to the fire when Microsoft has done something obviously stupid. I do want to keep my job.)


> > > "...one of the biggest mysteries arising from the Flame aftermath, which is why Microsoft engineers designed the old system with such poor key management."

> > That's not much of a mystery. These are the same engineers who thought Windows ME was good enough to ship. The same developers who gave the world IE5 and IE6. The same developers who designed a printer-setup dialog that requires you to choose "non-networked printer" to install a network printer.

> Microsoft made a dumb engineering decision? Yup, par for the course.

IE5 and IE6 were both, by far, the best browsers in the world at the time they were released. That is why we hate them now -- they were good enough.

Any senior programmer should know that the biggest obstacle to progress is the good-enough. If you make a prototype, there is a major danger that management will decide that it is good enough and that the real production system should be scrapped in favor of the prototype, leading to production applications serving thousands of customers off of an Access database.

IE5 and IE6 were so good that they got insanely good market penetration. 10 years later, when standards have advanced by 10 years, we all want to move on and get our customers to use a browser that parses our nifty new HTML5 pages. But the customers are happy with their IE6 browser, and their internal websites take advantage of IE6-specific behavior so migrating forward is expensive. This isn't because IE6 was bad, it is because it is OLD and because it was, at the time of its release, the BEST.

By modern standards, sure, IE6 is lousy. But you can't compare it against modern browsers. That makes no sense.

> > If the victims had been using Linux, we'd be reading about a critical game-over armageddon bug in Linux right now.

> This. Or, heaven forfend, OSX. ....But again, I bet they could have just as easily rooted a Linux box to take control of whatever software install/update method it uses, or found a way to present illegitimate updates to OSX.

Why, what's wrong with OSX? Were there any flaws discovered in its security architecture that attracted issues like Windows did? I can think of countless silly bugs in MS's security architecture which have led to vulnerabilities over its existence, but only very surface-level security issues in nix variants, including OSX.

Or are you believing all the stuff that anti-virus pedlars are spouting about OSX, scared they might lose business if their revenue-generating Windows goes down in popularity?

> ....IE5 and IE6 were both, by far, the best browsers in the world at the time they were released. That is why we hate them now -- they were good enough...

No they weren't. Despite being fast, the number of crashes, the buggy JavaScript handling and the weird layout bugs even then didn't compensate for any positive attributes. It was shameful coding, along with poor architectural decisions with plugins/ActiveX/tight integration with Windows, leading to years of security malaise.

MS did have lots of opportunities to fix it... the worst part is it acted as if software development on browsers were dead and let it stagnate and rot.

No, it was more in the way of a slightly sarcastic dig at the people who go berserk anytime a flaw in anything Apple is discovered. Supposed to be humorous, but I forget sometimes that in text I must supply more context for my sarcasm to read well.

I like OS X perfectly well; my Mac Pro and MacBook Pro serve me well for photo work and general mobility (excellent battery life, OS X and W7 on the same machine). Windows is my day to day get-things-done and play-games OS, Server 2008 R2 handles my other needs (WSUS, SQL, Exchange 2010 for giggles, Sharepoint experiments), pfSense (FreeBSD) for a firewall, and at work we use Linux servers for a couple of web projects in addition to our Windows infrastructure. Right tool for the right job is my primary consideration when choosing ... well anything really.

Would it be so odd if Microsoft (and Apple) have knowingly given these tools to the clandestine services in the US? They are US companies, and they could easily make a deal whereby the company disavows any connection and the government understands that the companies will throw their hands in the air when the malware goes public, then the companies push an update that has been available for just such an eventuality.

Tinfoil hat? Could be. But the telecoms companies have been doing this for years.

> > > If the victims had been using Linux, we'd be reading about a critical game-over armageddon bug in Linux right now.

> > This. Or, heaven forfend, OSX. ....But again, I bet they could have just as easily rooted a Linux box to take control of whatever software install/update method it uses, or found a way to present illegitimate updates to OSX.

> Why, what's wrong with OSX? Were there any flaws discovered in its security architecture that attracted issues like Windows did? I can think of countless silly bugs in MS's security architecture which have led to vulnerabilities over its existence, but only very surface-level security issues in nix variants, including OSX.

> Or are you believing all the stuff that anti-virus pedlars are spouting about OSX, scared they might lose business if their revenue-generating Windows goes down in popularity?

The sane and rational person knows that ALL systems can be defeated. When it comes to security, brand fanboyism has no place in the discussions.

> MS did have lots of opportunities to fix it... the worst part is it acted as if software development on browsers were dead and let it stagnate and rot.

What's ironic is that by stacking out the deluxe version of Office (e.g. via Outlook, Project, Visio, etc.), MS basically killed the whole mainstream third-party business software world that had been writing to the Windows API, and third party dev went to the web, not Windows. So while it let its browser rot, the whole rest of the software development world (for mainstream stuff) moved to web apps.

> > > > If the victims had been using Linux, we'd be reading about a critical game-over armageddon bug in Linux right now.

> > > This. Or, heaven forfend, OSX. ....But again, I bet they could have just as easily rooted a Linux box to take control of whatever software install/update method it uses, or found a way to present illegitimate updates to OSX.

> > Why, what's wrong with OSX? Were there any flaws discovered in its security architecture that attracted issues like Windows did? I can think of countless silly bugs in MS's security architecture which have led to vulnerabilities over its existence, but only very surface-level security issues in nix variants, including OSX.

> > Or are you believing all the stuff that anti-virus pedlars are spouting about OSX, scared they might lose business if their revenue-generating Windows goes down in popularity?

> The sane and rational person knows that ALL systems can be defeated. When it comes to security, brand fanboyism has no place in the discussions.

Especially when said OS is being broken into by a government cyberwarfare group.